Symfony UX LiveComponent CVE-2026-49215
LOWSeverity by source
Network-delivered CSRF requiring active victim interaction (UI:R, PR:N); integrity-only impact since LiveActions mutate state without inherent data exfiltration.
Lifecycle Timeline
2DescriptionCVE.org
Description
When using symfony/ux-live-component, methods annotated with #[LiveAction] are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gated these invocations on the presence of Accept: application/vnd.live-component+html, with a code comment stating that this acted as a CSRF protection.
The Accept header is a CORS-safelisted request header, so a cross-origin fetch() can set it without triggering a preflight. The header therefore provided no CSRF protection. Any #[LiveAction] could be forged cross-origin against a victim's session.
In practice the attack is mitigated by SameSite=Lax session cookies (Symfony's default), but applications using SameSite=None, credentials: 'include' with a permissive cookie policy, or that have been pivoted from another same-origin vector remained exposed.
Resolution
isLiveComponentRequest() now additionally requires the request header X-Requested-With: XMLHttpRequest. This header is not CORS-safelisted, so the browser issues a preflight OPTIONS request for any cross-origin attempt; Symfony does not advertise CORS for LiveComponent endpoints, the preflight fails, and the real request is blocked before it reaches the application. The bundled Stimulus client already sends X-Requested-With on every LiveComponent request (RequestBuilder.ts), so standard usage is unaffected. Cross-origin callers must add X-Requested-With to their CORS Access-Control-Allow-Headers allow-list.
The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).
Credits
Symfony would like to thank Anthropic (via Project Glasswing) for reporting the issue and Hugo Alliaume for providing the fix.
AnalysisAI
CSRF protection bypass in symfony/ux-live-component allowed cross-origin invocation of any server-side #[LiveAction] method against an authenticated victim's session. The library incorrectly relied on the Accept: application/vnd.live-component+html header as a CSRF guard, but per the Fetch specification §3.2.2 this is a CORS-safelisted header, meaning cross-origin fetch() calls can include it without triggering a preflight OPTIONS request. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) the target application runs symfony/ux-live-component >= 2.22.0,< 2.36.0 or >= 3.0.0, < 3.1.0 without the patch applied; (2) the application exposes at least one method annotated with #[LiveAction] that performs meaningful state mutation; and (3) the victim's session cookie is not protected by SameSite=Lax or SameSite=Strict - specifically, the application must use SameSite=None, or the attacker must have a same-origin foothold (e.g., stored XSS on the same domain) to bypass Lax restrictions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS score was provided by NVD or the vendor for this CVE; the assessed vector below is analyst-derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a web page containing a script that calls fetch('https://victim-app.example.com/live-component-endpoint', { method: 'POST', credentials: 'include', headers: { 'Accept': 'application/vnd.live-component+html' }, body: '...' }). If the victim browses to this page while authenticated and their session cookie is configured with SameSite=None (or the attacker controls same-origin content via XSS), the browser attaches the victim's session cookie without issuing a CORS preflight, and the server processes the forged #[LiveAction] call as if it originated legitimately from the victim's browser. … |
| Remediation | Upgrade symfony/ux-live-component to version 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today